Cloud computing is growing at a rapid pace due to its many advantages, which include the ability to store data, process data, and communicate without having to maintain your own hardware and, in some cases, without having to maintain various layers of a software stack on top of that hardware. At the same time, storing data and performing computing in the cloud may raise privacy and legal questions. For example, some industries may have regulatory requirements about where their data can be stored. Certain countries and economic zones may have laws and regulations governing where the data of their residents and companies may be stored. Further, some entities may wish to prevent other actors, such as governments, from having the ability to access their data. For example, a sovereign state may wish to prevent another sovereign state from having access to its data, either in transit or at rest.
To address these concerns, sovereign clouds are being developed, in which data and processing are restricted to a certain scope and access by outside parties is prevented. In some instances, sovereign clouds are restricted by geographic scope. For example, a German sovereign cloud (such as the BLACK FOREST sovereign cloud developed by Microsoft Corporation) may be hosted solely in Germany, with all servers in the German sovereign cloud being physically located in Germany and communicating using network links solely within Germany. In such a configuration, parties outside of Germany, such as a U.S. company, are technically unable to access or modify data within the German cloud, even if compelled by a court order in a jurisdiction outside of Germany. A sovereign cloud may be referred to more generally as an isolated cloud, in contrast to a non-isolated, or public, cloud.
Tenants of sovereign clouds may wish to allow their users to interact with users of other sovereign clouds or of a public cloud. Further, tenants of a sovereign cloud may wish to allow their users to access public services and applications that rely on data stored in the public cloud as opposed to the sovereign cloud.
Prior to the invention described below, identifying whether a user is a member of a tenant in a sovereign cloud, and more particularly which sovereign cloud, was technologically difficult. An application in the public cloud (referred to for convenience as a “public application”) might need to be specifically configured for each tenant, and perhaps even with a list of the users of that tenant, so that the public application would know to which sovereign cloud a user belonged. Such manual configuration might in fact be necessary for each public application.
Further, authenticating a user when that user's authentication data resides in a sovereign cloud posed technological challenges for developers of public applications. Still further, beyond authenticating the user, authorizing access to public resources for sovereign cloud users raised additional technological hurdles.
The background description provided here is for the purpose of generally presenting the context of the disclosure. Work of the presently named inventors, to the extent it is described in this background section, as well as aspects of the description that may not otherwise qualify as prior art at the time of filing, are neither expressly nor impliedly admitted as prior art against the present disclosure.